[gnutls-devel] Question regarding key exchange priorities

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jul 14 17:30:33 CEST 2013

On 07/14/2013 01:52 PM, Matthias Wimmer wrote:
> Hi,
> I have seen that in February the priority of a pure RSA key exchange has
> been changed. In the SECURE* defaults GNUTLS_KX_RSA is now preferred over
> the DH key exchanges GNUTLS_KX_DHE_RSA and GNUTLS_KX_DHE_DSS.
> (https://gitorious.org/gnutls/gnutls/commit/eff2ae1606c7fea45dd1178de60b5cbf5c1012f9)
> Is this change related to the problem described in
> http://lists.gnutls.org/pipermail/gnutls-devel/2013-February/006128.html?

Yes indeed. The ECDHE ciphersuites now replace DHE to provide forward
secrecy, because DHE had the compatibility issues discussed in the
thread above.

